Security Risks Pokemon Go

What are the security risks playing Pokemon Go?

A few folks have asked me what are the cybersecurity risks playing Pokémon Go. I am sure by now that you either have read articles about the new mobile app Pokémon Go game or have seen groups of people walking around like zombies staring at their smartphone while wandering around looking to capture virtual Pokémon. However, if you have not, here is a bit of a background. A new mobile app was released last week and it instantly become a viral sensation with over 15 million downloads of the game to date on both the Apple IOS Store and the Google play store. It surpassed Tinder, Instagram, and Twitter for usage, going to number one on the Apple and Android app stores. The smartphone game sends people out in the world to capture monsters from the Japanese cartoon franchise. It brings the popular Pokémon characters into the real world. Players walk around to find these virtual Pokémon, and once they are detected, the player has a chance to capture them with the swipe of the smartphone screen to flick a Pokeball.

As a cybersecurity professional, I tend not to be one of the first ones to download a new app or upgrade to a new software version without first waiting to see what security issues or technical issues exist. With Pokémon Go, I was also somewhat cautious about playing the game because this mobile app requires the player to either set up a new account with publisher, Niantic, directly or they ask the player to sign up using a google account. When I use a mobile app requiring a log in to play, I usually set up a separate account with a unique password for that account only. I tried doing that with their Pokémon Trainer accounts, but their servers were overwhelmed and I was not able to set up a dummy account. The reason I use dummy accounts is that I have no idea how robust their security is for protecting the login and password data. I also have no idea what the company plans to do with the captured information and how secure its servers are. Therefore, if by chance, those app servers are hacked, I do not need to go and change all the other accounts I use the same password for login. Since I could not set up an account with the publisher directly, I held off logging in with my Google account until I had some time to look into any security issues.

Sure enough, after the initial launch of the game, a security researcher/blogger indicated that when the player signed up with their google account from on IOS device, the terms of service the player agreed to includes a statement saying that the player is giving the game developer access to everything on their google account. However, if like most folks, the player probably did not read the fine print. Which means the person has just given the publisher the right to read their emails, address books, Google docs, and see where they have been. Now, I highly doubt that Niantic and Google intended for this app to be a means to compromise the player’s data. It most likely was just carelessness on their part when developing the user agreement and access requirements. The fact is Niantic is a spinoff of Google, and they were careless in requesting full access rights, which Google usually only has for their own apps. Niantic said in a statement in a statement that it did not use that access for ill and that so far it has accessed only user IDs and email addresses. Niantic and Google have issued a fix though in the latest update to the app.

Another cybersecurity threat with the Pokémon Go game is the incentive it provides for hackers and criminals. Something this popular is sure to provide an attractive threat vector for hackers to compromise. For instance, hackers released a malicious version of the mobile app into the wild 72 hours after the game debuted. Also, a host of Pokémon websites will developed by cyber criminals and hackers with the intent of getting the players to click on a link that downloads malware to their mobile device or computer, or providing PII to the criminal who can later use that information for identify theft.

With respect to privacy, Pokémon Go taps into all kinds of information, including the phones GPS information including location history, current location, and the amount of time someone spent in a given place, geolocation data, and more. This data is ultimately being stored by the developer and most likely be sold to other companies. In addition, reading the game’s privacy policy, it shows that the publisher gathers personal email addresses, birth dates, and privacy settings of your Facebook or Google accounts, which your privacy settings permit them to have. The company may also log the Internet Protocol (IP) address of the user’s computer, the web page they visited before clicking on Pokémon Go, and what pages and search terms they used on the site, among other data.

Therefore, before you play any mobile game such as Pokémon Go, we recommend the following cybersecurity safeguards to protect and yourself from cyber threats:

If you were one of the first ones to sign up with your Google email account and still feel uncomfortable with the publisher having full access to your account, you can still deny access by going into the Google settings and revoking permissions. You will see it say Pokémon Go release has full access to your Google account, thus you just click on revoke it. You can also delete the mobile App and reinstall the newer version, but you might lose the initial progress you made in the game. But, losing the few Pokemon that you have found is small compared to having the publisher have full access rights your Google account.

Only download the official app from the IOS or Google Play Store. Countries where the Niantic has not released the Pokémon Go game yet have seen folks resort to downloading the Android Package Kits (APK) from third parties. This is extremely risky, as hackers have modified some to include malicious remote access code which gives the attacker full control over the victim’s phone.

Given the popularity of this game, players are sure to be googling on the internet for cheats and hacks to advance them quicker in the game. Scammers and hackers are already on top of this and most likely developing fake websites offering Pokémon Coins and other power-ups from the game in exchange for filling out surveys or visiting questionable websites. Surveys are a means for scammers to collect personal identifiable information in which they can use for identity theft. Therefore, you should be careful when visiting sites related to the Pokémon Go game.

For sites requiring the establishment of an account to login and play, I recommend setting up a dummy email account, which does not use your real name or birthday when setting up the account. In addition, this dummy account does not have the same password that you use for all of you other important accounts such as your email or banking accounts.

The Pokémon game has as startup menu that tells you to be alert and aware of your surrounds. Mobile features such as Pokestops and lures can affect the player’s personal safety. Cyber criminals and thieves use the Pokestops geolocation feature to identify an area that individuals were likely to visit, taking advantage of their distraction and relative isolation when they arrive. Therefore, one safety measure is to make sure you have a password lock on your phone which protections your PII and access to your other accounts if your physical safety is compromised and your phone is stolen.

Make sure your privacy settings for Facebook and Google are set up securely if you are using your google or Facebook accounts to sign up for accounts on these or other gaming sites. This will limit the data that gaming publishers have access to when using these accounts to sign up for gaming and other accounts.

Given the popularity of Pokémon Go, new mobile apps hoping to achieve the same popularity are sure to follow. I did finally sign up using a fake google account I have set up for games and joined the millions of others who downloaded the game, but this is after assessing the cyber risks with playing the game. We recommend always assessing the cyber risks before jumping on board the next mobile app game. Happy Pokémon Hunting!